NIST Cybersecurity Framework: Don't Underestimate It

A cybersecurity framework for critical infrastructure owners is voluntary but will become the de facto standard for litigators and regulators. Here's how to prepare.

Any company that is managing critical infrastructure in the US and disregards the Preliminary Cybersecurity Framework, issued by the National Institute of Standards and Technology (NIST) in late October, does so at its own peril. The framework, which is now in its final comment stage and due to be released in mid-February, lays out a set of comprehensive but voluntary cybersecurity practices.

However, critical infrastructure owners need to recognize that, if a company's cybersecurity practices are ever questioned during a regulatory investigation and litigation, the baseline for what's considered commercially reasonable is likely to become the NIST Cybersecurity Framework.

The Department of Homeland Security defines critical infrastructure companies broadly to include banking and finance, communications, critical manufacturing, the defense industrial base, energy, emergency services, food and agriculture, healthcare, information technology, utilities, and transportation systems. These companies should be prepared to document and demonstrate that their cybersecurity practices are consistent with the practices promoted through the NIST framework.

The framework was issued at the direction of the White House in February under Executive Order 13636. The order tasked the NIST to develop a "set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks."

The NIST has conducted four cybersecurity workshops, and it consulted with more than 3,000 individuals and organizations on best practices for securing IT infrastructure prior to releasing the framework. That level of consultation in creating the framework -- and the broad industry input -- support the notion that the framework will be recognized as an industry standard.

There are no surprises in the framework, since it represents a summary of best practices. It provides companies with standardized criteria for analyzing and mitigating risks. Those risks are organized around five core activities that a company's management and IT security teams routinely must perform when dealing with security risks: identify, protect, detect, respond, and recover. For each of these activities, the framework sets out a number of methods, practices, and strategies it recommends for effectively minimizing cyber risk.

The NIST framework also establishes four implementation tiers, which describe how extensively a company might manage its cybersecurity risks. The higher the tier, the more advanced a company's risk management procedures become.

Critical infrastructure companies defending their cybersecurity practices in litigation or regulatory investigations should be prepared to show that the practices adhere to Tier 4, considered "adaptive," meaning a company is regularly evaluating the threats it faces, testing its procedures, and modifying these procedures where appropriate to address new threats.

The framework also highlights why it is important for senior management to establish and supervise a cybersecurity program. The framework places senior management at the top of the decision-making process and holds senior managers responsible for compliance with the framework. Although senior managers without a technical background might be tempted to defer responsibility to their IT departments, complying with the framework requires them to be educated about the choices their company faces and to take responsibility for allocating appropriate resources to address risks.

Ultimately, the NIST framework seeks to establish a common vocabulary for companies to discuss and evaluate one another's cybersecurity practices. If the framework is used as an industry standard in a legal proceeding, it won't be enough for a company to have engaged in practices similar to those described in the framework. It must be able to document its compliance with the framework in the language of the framework.

There are additional benefits companies might want to consider. The Obama administration is considering certain incentives to promote the framework and spur its adoption. Those incentives might include cybersecurity insurance, rate recovery, process preference, and grants for adopters.

In preparation for potential recognition of the framework as an industry standard for critical infrastructure companies, these companies should consider doing the following.

Revise security policy documents to adopt and reflect the language and vocabulary of the framework.

Ensure that senior management is active in establishing a cybersecurity strategy for the company and reviewing the implementation of that strategy.

Foolproof cybersecurity protection does not exist. But by taking these steps, a critical infrastructure company will be well positioned to defend its practices as meeting industry standards when things go wrong.

Gerald Ferguson serves as the coordinator for the Intellectual Property, Technology, and Media Group in BakerHostetler's New York office and as the national co-leader of its Privacy and Data Protection Team.

This framework is virtually useless. What small business owner, who has only limited resources and overhead, is going to spend a minute trying to translate "government speak" to commercial operations. There is already an overload of existing frameworks and standards: PCI, HIPAA, SOC 1/2/3, and ISO. ISO is an "international standard."

Small and medium businesses (SMBs) are shifting their information technology services to "the cloud" and platform/software as a service models. Google Mail, Paychex, Salesforce, and Acquia Cloud (Drupal) have taken the place of traditional on-site infrastructure. A more appropriate framework for 2014 should have focused on outsourcing and contracts (service level agreements).

IMHO: This framework and DHS's insistence on handling the implementation is just another way for DHS to attempt to show their value. It's not going to work. DHS hasn't proven they are capable of handling this mission. DHS has absolutely no authority over commercial companies.

The people who wrote this framework are smart. The framework itself is going to have absolutely no impact on SMBs.

Gerald, now that NIST has issued its Version 1.0 of the new Cybersecurity Framework, which seems a bit stripped down from the draft we've all been looking at, how have your views about adoption changed?

Your point about incentives is well taken. Part of the efforts outlined in the Executive Order calls for exploring ways to provide incentives to critical infrastructure owners, through insurance cost breaks for example. It's complicated with so many industries, but you're right, there will need to be a big stick as well as big carrots here.

This is a great article. The challenge I see in the adoption of the NIST Cyber framework will be the lack of a reward mechanism to enable small and medium businesses to embrace the framework. Large businesses will do it for good practices.

Case in point, when HIPAA came out back in 2004? it was mandatory for covered entities, which by definition at the time, were the health plans, health care clearinghouses, etc. 'Business associates' of the CEs were encouraged to comply with the regs but, during that time, were not obligated. What CMS found later in subsequent years was that the BAs are just as noncompliant as the rest, and that the enforcement power needed to be enabled. Subsequently, the scope was broadened to the BAs and enforcement actions such as financial penalties were taken. In 2013 to date we have seen about $900k per entity in terms of penalties for noncompliance.

The point is that, where there is a big stick, there will be adoption. Where there is no stick there will be no adoption, as adoption costs resources. Voluntary adoption needs incentives such as those enjoyed in health IT, where such financial incentives were given to stimulate adoption (physician e-Prescription).

Perhaps NIST will come back to the lawmakers with financial incentives such as a reduced tax break or tax credit (similar to Energy Star for homeowners) for the businesses that can effectively demonstrate their embrace of the framework. And that will open another market to talk about, similar to 3PAO of FedRAMP.

You're right, it is an important document, though hardly a first step. The Bush and Obama administrations have issued a number of executive orders, created task forces, and commissioned recommendations before. This document does have the weight of a presidential executive order, and President Obama's name, behind it.

As to the focus, it's not brick and mortar but rather a comprehensive collection of practices for managing cybersecurity risks -- broken down into five core areas on how to Identify, Protect, Detect, Respond, and Recover from cyber security threats.

The 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - it's rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?